the giant black book of computer viruses phần 4 potx

... writes. First, DEVIRUS finds the end of the host file and uses that as the offset for the new STRAT routine, writing this value into the header. Next it hides the address of the old STRAT routine internally ... routine internally in itself at STRJMP, and then writes the body of its code to the end of the SYS file. That’s all there is to it. The logic of DEVIRUS...

Ngày tải lên: 14/08/2014, 18:22

... free at the time of the ;execution of the boot sector. ORG 0500H DISK_BUF: DB ? ;Start of the buffer ;Here is the start of the boot sector code. This is the chunk we will take out ;of the compiled ... loading, the virus would have crashed the system. (And that, incidently, is why the virus we’re discussing is the Kilroy-B. The Kilroy virus dis- cussed in...

Ngày tải lên: 14/08/2014, 18:22

... value in the code segment 60 The Little Black Book of Computer Viruses Offset Size Name Description 12H (Cont) properly. The INTRUDER virus will not alter the checksum. 14H 2 Initial ip The initial ... risk! It’s not like any other computer program you’ve ever run! 52 The Little Black Book of Computer Viruses infecting every EXE file on the system. To d...

Ngày tải lên: 14/08/2014, 18:22

... far. Not so, the computer virus, because it attaches itself to otherwise useful programs. The computer user will execute these programs in the normal course of using the computer, and the virus ... Bulletin, January, 19 94, p. 14. 3 The Crypt Newsletter, No. 8. Part I Self-Reproduction The GIANT Black Book of Computer Viruses by Mark Ludwig American Eagle Pub...

Ngày tải lên: 14/08/2014, 18:22

... relative to the start of the code in the EXE file. This is relocated by DOS at load time. 18H 2 Reloc Tbl Offset Offset of the start of the relocation table from the start of the file, in ... be the first byte of the virus. 3. Write the virus code currently executing to the end of the EXE file being attacked. 4. Write the initial value of ss:sp, as...

Ngày tải lên: 14/08/2014, 18:22

... function and then disassemble it. the virus is run. Thus, all of Developer A and Developer B’s clients could suffer loss from the virus, regardless of whether or not they developed software of their ... pushed on the stack and the function is called with a far call. In OS/2 the function names and the names of the modules where they reside are different, of course. For...

Ngày tải lên: 14/08/2014, 18:22

... move to the end of the file with the code mov ax,4C02H xor cx,cx xor dx,dx int 21H The true file length is then returned in dx:ax. To this number it adds the distance from the end of the file ... is stored at offset 4 in the List of Lists. System File Table entries are stored in blocks. Each block contains a number of entries, stored in the word at offset 4 f...

Ngày tải lên: 14/08/2014, 18:22

... should include them. At the other end of the scale, the fancier you want to get, the better. You can probably think of a lot of instructions that modify at most one register. The more possibilities ... EMPTY_8 042 mov al,0D1H out 64H,al call EMPTY_8 042 mov al,0DFH out 60H,al call EMPTY_8 042 ret ;This waits for the 8 042 buffer to empty EMPTY_8 042 : in al,64H a...

Ngày tải lên: 14/08/2014, 18:22

... in the directory where the file is missing, and you don’t have integrity data for any of them anymore. You scan them, sure, but the scanner turns up nothing. Why was the file missing? Are any of ... much work. All one has to do is calculate the size of the file from the EXE header, rather than from the file system, and use that to add the virus to the file. An altern...

Ngày tải lên: 14/08/2014, 18:22

... 91,209,1 74, 232,119,231,113, 241 ,101,56,222,207, 24, 242 ,40 ,236,6,183,206, 44 ,152, 14, 36, 34, 83,199, 140 ,1,156,73,197, 84, 195,151,253,169,73,81, 246 , 158, 243 ,22 ,46 , 245 ,85,157,110,108,1 64, 110, 240 ,135,167,237,1 24, 83,173,173, 146 ,196,201,106,37,71,129,151,63,137,166,6,89,80, 240 , 140 ,88,160,138,11, ... 2 14, 159,11,137,32,236,233, 244 ,75,166,232,195,101,2 54, 72,20...

Ngày tải lên: 14/08/2014, 18:22